How can a Unicorn establish a foreign location as its own lair, when it’s already the lair of a Lich?

The party’s Cleric and Wizard have worked together to summon and bind a Unicorn to their side for a year and a day. Now they get to enjoy an intelligent mount with legendary actions, teleportation, and extra healing. It can even have a lair of its own.

The party has gone inside a Lich’s domain. Is there anything the party can have the Unicorn do so that it can establish this very same location as its own domain, such that it becomes the lair of both the Lich and the Unicorn? If so, what does that process look like?

As an important note, this particular Lich is very pointedly not interfering with the party’s preparations up until they meet. This campaign is more of a hack and slash, so there’s not really any deeper underlying reason as to why. What is important is that it doesn’t violate the rules.

Here are the subcomponents of this question, as I see it:

  1. Can any creature turn any location into its lair?

  2. Can more than one creature treat the same location as their lair?

  3. What is the process for a creature turning an area into its lair?

I believe the answers to (1) and (2) are yes because there isn’t a specific rule that I know of that forbids this, so the main question here is (3). However, if you can cite a rule that shows the answer to (1) or (2) is a “no,” I believe that in this scenario it renders the succeeding questions moot, so that’s also an acceptable answer.

Establish a symmetric key: KDF based on shared secret and random salt or key wrapping?

I am designing a basic KMS based on a simple HSM. I only have access to: AES256, SHA256, PBKDF2, HMAC (and combinations like AES256-HMAC-SHA256). The admin and the users of the system have a personal HSM where the keys are stored, and it works like this:

  1. The administrator generates a key inside his HSM with PBKDF2 (random salt and random seed)
  2. The HSM of the administrator encrypts the new key using AES-256 with a different symmetric key for each user (the key used for key wrapping was established during the physical initialization of the HSM of the user) and sends it to every user that needs it along with the key’s metadata. The whole payload (encrypted key value + key’s metadata) is encrypted another time with AES256 with another unique key for each user.
  3. The payload reaches the user that, thanks to the two symmetric keys previously shared with the admin (during the HSM physical initialization), is able to retrieve the requested key and metadata.

I was thinking about another possible approach that could be better but I am not really sure about it:

  1. The administrator establishes a shared secret common to every user of the system. This secret is stored in every HSM belonging to the users or to the administrator.
  2. When a key must be generated, the administrator computes it with PBKDF2 using the common secret and a random salt.
  3. When a key must be sent to any user, only the salt that was used by the administrator is actually sent to the user. The salt may be encrypted with a pre-shared symmetric key (like the example above) and it is used by every user along with the shared secret to generate the key again.

The first approach has the following problems: I need to send the actual key value, I have to perform two encryptions, and the HSM must offer an API to retrieve the actual value of a key from its internal flash memory (as cleartext or ciphertext depending on the choice of the caller; the API can be called only if the administrator is logged in to the HSM and it can’t be called if a user is logged in).

The second approach has the following problems: the secret is common to all users, so if an attacker finds the secret of a single user, he finds the secret of everyone. The HSM must offer an API to retrieve the secret as cleartext from its internal flash memory because the secret must be the same for every user, even for users that are added to the system weeks/months later (again, this API is callable only if the administrator is logged in to the HSM).

I suppose that the second approach, in principle, could be better because the keys are not actually sent from the administrator to the users. But the secret common to everybody is a problem; moreover, I imagine that if an attacker finds out the value of a random salt, he may simply try to compute all possible keys given that salt using PBKDF2 and all possible seeds (because the implementation is open source, so he knows that the secret is 32 bytes long and he also has access to the PBKDF2 code).

In conclusion, I think that in the real world the first approach is more secure, provided that the login as administrator to the HSM is protected by a very complex PIN and possibly by a second factor (i.e. fingerprint). Do you agree? Any thoughts about other vulnerabilities in my approach?
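The second approach described in the question (salt-only distribution, with each HSM re-deriving the key from a common secret via PBKDF2) is easy to model with the primitives the post lists. The following is an added example, not code from the question's author or from any real HSM: it derives the key on both sides from the shared secret and a random salt, and authenticates the transmitted salt and metadata with an HMAC under a per-user key so the receiving side refuses a modified payload rather than silently deriving a different key. The iteration count, the JSON payload layout, the per-user MAC key, and all secret values are constructed for the demonstration; the example does not change the fact the question raises, that one secret shared by every user is a single point of compromise.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000   # assumed value; the question does not state one
KEY_LEN = 32                  # AES-256 key size in bytes
TAG_LEN = 32                  # HMAC-SHA256 output size


def derive_key(shared_secret: bytes, salt: bytes) -> bytes:
    """Step 2 of the second approach: the admin HSM and each user HSM run
    PBKDF2 over the common secret and the per-key salt and get the same key."""
    return hashlib.pbkdf2_hmac("sha256", shared_secret, salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def build_payload(user_mac_key: bytes, salt: bytes, metadata: dict) -> bytes:
    """Step 3, admin side: only the salt and the key's metadata travel.
    The per-user MAC key (assumed to come from the HSM's physical
    initialization) authenticates the payload, so a modified salt cannot
    make the user derive a different key without being noticed."""
    body = json.dumps({"salt": salt.hex(), "meta": metadata},
                      sort_keys=True).encode()
    tag = hmac.new(user_mac_key, body, hashlib.sha256).digest()
    return tag + body


def payload_is_authentic(user_mac_key: bytes, payload: bytes) -> bool:
    """Constant-time tag check; False if any byte of the body was changed."""
    tag, body = payload[:TAG_LEN], payload[TAG_LEN:]
    expected = hmac.new(user_mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def receive_payload(user_mac_key: bytes, shared_secret: bytes, payload: bytes):
    """Step 3, user side: verify first, then re-derive. Returns (key, metadata)."""
    if not payload_is_authentic(user_mac_key, payload):
        raise ValueError("payload authentication failed; key not derived")
    obj = json.loads(payload[TAG_LEN:])
    return derive_key(shared_secret, bytes.fromhex(obj["salt"])), obj["meta"]


def demo() -> dict:
    """End-to-end run with constructed secrets (random, not real HSM material)."""
    shared_secret = os.urandom(32)   # common secret provisioned into every HSM
    user_mac_key = os.urandom(32)    # per-user key from physical initialization
    salt = os.urandom(16)            # fresh salt for each generated key
    key_on_admin = derive_key(shared_secret, salt)
    payload = build_payload(user_mac_key, salt,
                            {"key_id": "k-0001", "alg": "AES-256"})
    key_on_user, meta = receive_payload(user_mac_key, shared_secret, payload)
    # Flip one byte of the body in transit: the user HSM must refuse it.
    tampered = (payload[:TAG_LEN]
                + bytes([payload[TAG_LEN] ^ 0x01])
                + payload[TAG_LEN + 1:])
    return {
        "keys_match": key_on_user == key_on_admin,
        "bytes_on_wire": len(payload),
        "tampered_accepted": payload_is_authentic(user_mac_key, tampered),
        "meta": meta,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the run makes concrete: the key never leaves either HSM (only the salt, metadata and tag are on the wire), and the brute-force concern in the question depends entirely on the entropy of the shared secret, since the salt and the PBKDF2 parameters are public by design.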

I keep getting this notification from Bitdefender: chrome.exe attempted establish a connection relying on an expired certificate to logs.gettoby.com

Every two fucking minutes I get four notifications like this and it has been going on for two days. It’s driving me mad. Can anyone help me get rid of this? I don’t even own Toby, I didn’t even know what it was until this.

I also get a lot of this: chrome.exe attempted to establish a connection relying on an expired certificate to www.nottfo.com. We blocked the connection to keep your data safe since web pages must renew their certificates with a certification authority to stay current, and outdated security certificates represent a risk.

What even is Nottfo?

What are the exact steps to establish a HTTPS/SSL connection?

Before asking this question I got through a lot of posts for finding a simple explanation about:

  • How is an HTTPS/SSL connection established?

but I could not find a good one. In addition, here I can ask more questions until it becomes clear to me, and it may also be helpful for many others. There is also another question related to this topic:

  • How does the client generate the private key?

Suddenly not working on Ubuntu Digital Ocean: urllib3 Failed to establish a new connection: [Errno -5] No address associated with hostname

It was working fine a week ago, but all of a sudden it stopped working.

Steps to reproduce:

    Python 2.7.12 (default, Nov 12 2018, 14:36:49)
    [GCC 5.4.0 20160609] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import requests
    >>> requests.get('http://google.com',{})
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 67, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 53, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 480, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
        history = [resp for resp in gen] if allow_redirects else []
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 211, in resolve_redirects
        **adapter_kwargs
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 588, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 437, in send
        raise ConnectionError(e, request=request)
    requests.exceptions.ConnectionError: HTTPConnectionPool(host='www.google.com', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7fc5076e7950>: Failed to establish a new connection: [Errno -5] No address associated with hostname',))

Expected output:

    <Response [200]>

What events, tests, and troubles could a party trying to establish a nation expect to face

My players have decided to establish a new nation which consists of Phandalin, Triboar, Red Larch, and all lands in between (per their own highly unofficial declaration). I’m trying to come up with some things to present to these new kings and queens that will test their abilities to govern well. Anyone have any ideas for mechanics to use to test them without getting too bogged down with the less exciting aspects of being a politician?

A few details that might help:

  • The party is level 12
  • They are a generally chaotic good party consisting of a Rogue, Sorcerer, Druid/Ranger, and Rogue/Warlock
  • The campaign started with Lost Mines of Phandelver and transitioned into a slightly homebrewed version of Princes of the Apocalypse
  • There is a zombie apocalypse which has destroyed all known civilization south of Waterdeep, which has created a huge refugee issue in the North.
  • Neverwinter recently got infected with the plague and the party kidnapped/rescued King Neverember. He’s currently a political hostage.
  • Lords Alliance is the main government entity in the region. They used the Witch Hunters, Neverwinter, and Waterdeep as their military forces.
  • The reason the nation was established is because the party freed Triboar from the rule of “The Witch Hunters” who had taken it over to create themselves a headquarters from which to hunt down and kill or imprison all Arcane and Nature magic users. So when the party cut the head off the snake they didn’t want to let the locals fall into chaos, especially with all of the plague and refugee stuff going on.

establish code conventions, java [on hold]

I am in a company where there seem to be no code conventions. I see, for example, people taking Optional<List<Stuff>> as parameters to functions; some methods may return nulls, others return Optionals; there is basically zero javadoc (the documentation is outsourced into things like Jira). There are also several thousand LOC of imperative code which writes some fixed-length files, one field at a time, inside a string builder, and it’s a hell to modify (which, occasionally, I have to). Also everything is public, interfaces are rare. We are not using any framework.

Code reviews never take more than 30 secs - 1 min, and after looking in the code base I could find obvious mistakes like (there is no X) ? count X : Zero, or 4-level nested ifs, etc., which would never happen if real code reviews were in place.

We are at about 87k LOC on Java side.

My question is: should I care, and try to impose more exhaustive code reviews, general conventions, and invest time into refactoring, or am I being too picky?

I am not a senior dev, and we actually have one, so I may definitely encounter resistance if I make my voice loud.

Cannot establish connection to MySQL database

I have a database created in MySQL Workbench called “mydb” and I used this code to connect with it:

    #include <QSqlDatabase>
    #include <QMessageBox>

    void MainWindow::on_pushButton_clicked()
    {
        QSqlDatabase db = QSqlDatabase::addDatabase("QMYSQL");
        db.setHostName("localhost");
        db.setPort(3306);
        db.setUserName("root");
        db.setPassword(password);   // password: a member of MainWindow, not shown in the post
        db.setDatabaseName("mydb");

        if (db.open()) {
            QMessageBox::information(this, "Connection", "Database connection succesful");
        } else {
            QMessageBox::information(this, "Not connected", "Database connection not succesful");
        }
    }

I also run

    bool test = QSqlDatabase::isDriverAvailable("QMYSQL");
    qDebug() << test;

to check if the driver is available, and it returns true. I also tested the connection to see if it was successful.


But when I run my app, it says: “Database connection not succesful”

Cannot establish ipsec between two Cisco1000V routers on Azure

Sorry if this is the wrong place for this question. I’m new to Stack Overflow.

I’m trying to follow a guide for HA on Azure but I’m falling at the first hurdle.

The YouTube video links have expired, so I had to fill the gaps in the config and may have made a mistake.

Here is the video which has some diagrams.

Basically, my IPsec tunnel will not establish between the two routers.

Config from RTR1:

    crypto ikev2 proposal azure-proposal
     encryption aes-cbc-256 aes-cbc-128 3des
     integrity sha1
     group 2
    !
    crypto ikev2 policy azure-policy
     proposal azure-proposal
    !
    crypto ikev2 keyring ONE
     peer 20.39.208.39
      address 20.39.208.39
      pre-shared-key cisco123
    !
    !
    crypto ikev2 profile ONE
     match identity remote address 20.39.208.39 255.255.255.255 (also tried any)
     authentication remote pre-share
     authentication local pre-share
     keyring local ONE
    !
    !
    crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile ONE
     set transform-set azure-ipsec-proposal-set
     set ikev2-profile ONE
    !
    interface Loopback0
     ip address 10.255.3.1 255.255.255.255
    !
    interface Tunnel1
     description to ONE
     ip unnumbered Loopback0
     ip tcp adjust-mss 1350
     tunnel source 51.143.190.207 (tried both the interface and the IP)
     tunnel mode ipsec ipv4
     tunnel destination 20.39.208.39
     tunnel protection ipsec profile ONE
    !
    interface GigabitEthernet1
     ip address dhcp
     negotiation auto
    !

Config from RTR2:

    crypto ikev2 proposal azure-proposal
     encryption aes-cbc-256 aes-cbc-128 3des
     integrity sha1
     group 2
    !
    crypto ikev2 policy azure-policy
     proposal azure-proposal
    !
    crypto ikev2 keyring ONPREM
     peer 51.143.190.207
      address 51.143.190.207
      pre-shared-key cisco123
    !
    !
    crypto ikev2 profile ONPREM
     match identity remote address 51.143.190.207 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring local ONPREM
    !
    !
    crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile ONPREM
     set transform-set azure-ipsec-proposal-set
     set ikev2-profile ONPREM
    !
    !
    interface Loopback0
     ip address 10.255.1.1 255.255.255.255
    !
    interface Tunnel1
     description to ONPREM
     ip unnumbered Loopback0
     ip tcp adjust-mss 1350
     tunnel source 20.39.208.39
     tunnel mode ipsec ipv4
     tunnel destination 51.143.190.207
     tunnel protection ipsec profile ONPREM
    !
    interface GigabitEthernet1
     ip address dhcp
     negotiation auto
    !

I used debug crypto isakmp and ipsec, and the only error I saw was

“peer matches none of the profiles”, which is why I tried “match identity any”, but I get the same result.

I have full connectivity between the routers and can ping and telnet between them on the relevant ports.

Any help will be appreciated.

Rik

Unable to establish GRE tunnel between linux-based instance and Cisco Router

I would like to establish a GRE Tunnel connection between a Cisco CSR1000v and an EC2 instance that runs Ubuntu 18.04.02 LTS Linux 4.15.


In R1 CSR1000v the configuration is the following:

    interface Tunnel99
     ip address 10.10.10.2 255.255.255.0
     keepalive 2 3
     tunnel source GigabitEthernet1
     tunnel destination 54.148.34.17
     tunnel path-mtu-discovery
    end

The tunnel interface status is the following:

    Interface          IP-Address      OK? Method Status                Protocol
    GigabitEthernet1   172.1.1.7       YES DHCP   up                    up
    Tunnel99           10.10.10.2      YES manual up                    up

In the EC2 instance, I have the following configuration:

    modprobe ip_gre
    lsmod | grep gr
    sudo ip tunnel add gre0 mode gre remote 35.163.97.129 local 172.2.2.11 ttl 255
    sudo ip link set gre0 up
    ip addr add 10.10.10.1/24 dev gre0

The problem is that I couldn’t ping the tunnel interface from either side. And the gre0 interface shows a destination address that is the same as the tunnel’s own IP address.

    gre0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8977
            inet 10.10.10.1  netmask 255.255.255.0  destination 10.10.10.1
            inet6 fe80::200:5efe:ac00:106  prefixlen 64  scopeid 0x20<link>
            unspec AC-00-01-06-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
            RX packets 171  bytes 4104 (4.1 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 7  bytes 392 (392.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0